Merge pull request #12485 from yuvalk/ipsec-install

ipsec: fix selinux labels on nss db dir
2026-02-05 06:46:04 +01:00 · 2024-02-09 12:28:32 -05:00
parent c2c12d00bf 28cc175bdf
commit 195af4864d
2 changed files with 30 additions and 15 deletions
--- a/roles/openshift_node/tasks/install.yml
+++ b/roles/openshift_node/tasks/install.yml
@@ -112,21 +112,8 @@
    name: "crio"
    enabled: yes

- name: Enable ipsec service
-  systemd:
-    name: "ipsec"
-    enabled: yes
-
- name: add nssdir to ipsec.conf
-  ansible.builtin.lineinfile:
-    path: /etc/ipsec.conf
-    insertafter: 'config setup'
-    line: "\tnssdir=/var/lib/ipsec/nss"
-
- name: create nssdir
-  file:
-    path: /var/lib/ipsec/nss
-    state: directory
+# handle ipsec installation
+- import_tasks: ipsec.yml

 # persistent storage in journal is needed for MachineConfig to work
 - name: Enable persistent storage on journal
--- a/roles/openshift_node/tasks/ipsec.yml
+++ b/roles/openshift_node/tasks/ipsec.yml
@@ -0,0 +1,28 @@
+---
+- name: Enable ipsec service
+  systemd:
+    name: "ipsec"
+    enabled: yes
+
+- name: add nssdir to ipsec.conf
+  ansible.builtin.lineinfile:
+    path: /etc/ipsec.conf
+    insertafter: 'config setup'
+    line: "\tnssdir=/var/lib/ipsec/nss"
+
+- name: create nssdir
+  file:
+    path: /var/lib/ipsec/nss
+    state: directory
+
+- name: set nss selinux context
+  command: semanage fcontext -a -t ipsec_key_file_t /var/lib/ipsec/nss
+
+- name: restore nss selinux context so it will be active
+  command: restorecon -r /var/lib/ipsec/nss
+
+- name: initialize nss db
+  command: ipsec initnss --nssdir /var/lib/ipsec/nss
+
+- name: make sure proper selinux label on nss db
+  command: chcon -R -t ipsec_key_file_t /var/lib/ipsec/nss